I'm currently working on packaging
Rainbow<http://wiki.laptop.org/go/Rainbow>, an implementation of the
Bitfrost <http://wiki.laptop.org/go/OLPC_Bitfrost> security
spesification. Rainbow runs user-level desktop applications with the
same level of resource isolation already used with a variety of system
daemons, giving each application instance its own UID, GID, and
persistent storage directory.

In order to function, Rainbow requires a NSS module, libnss-rainbow, to
be installed and enabled in /etc/nsswitch.conf.

From what I can tell (as seen on bug
388864<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=388864> ),
libnss-mdns modifies /etc/nsswitch.conf directly as part of its
postinst. I thought this wasn't allowed by Debian policy, but if I'm
misunderstanding I'm more than happy to adopt their solution.

libnss-mdns 0.10-3.1 currently in Sid contains the following:
---- README.Debian ----
Previously the base-files package shipped /etc/nsswitch.conf and specified:
hosts: files dns mdns
However, due to bug#351990, this is no longer the case. /etc/nsswitch.conf
is now generated post-installation. Upon installation of nss-mdns, if the
strings 'mdns', 'mdns_minimal', 'mdns4', 'mdns4_minimal', 'mdns6' or
'mdns6_minimal' appear on the hosts line, your /etc/nsswitch.conf file
will not be updated, otherwise it will updated to match the upstream
recommended configuration which usually looks like:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
---- README.Debian ----

Perhaps you could do similar arrangements until a unified solution is
found.

On Ubuntu AuthClientConfig <https://wiki.ubuntu.com/AuthClientConfig>
seems to serve a similar purpose. Assuming the above workaround was not
acceptable, would porting ACC to Debian and using that hook in my
package be so?

I don't know that tool (and have no time to investigate it currently) so
can't comment on that at the moment.

Please CC me, as I'm not subscribed to this list.

You _are_ subscribed to the OLPC list at Alioth, so I've just made sure
to include that one :-)